Small physician practices, much like their small commercial business counterparts, have been the primary source of health care related data breaches, according to an analysis of breaches from 2009 to October 2012 released today by the Health Information Trust Alliance (HITRUST).
These smaller medical offices, usually well under 100 employees, lack the IT or information security resources to adequately deal with a wide array of cybercriminals eyeing electronic health records and personal information that has considerable value in the black market.
Since the passing of the HITECH act in 2009 and the mandatory notification of breaches of health care data affecting more than 500 individuals, more attention has been paid to patient data privacy and security.
Overall, HITRUST reports that the health care industry has made relatively few strides in reducing the number of data breaches. For this analysis, 495 breaches were studied. Those breaches exposed 21 million patient records at an estimated cost of $4 billion.
“By conducting and publicizing this analysis, we believe that over time we can facilitate a fundamental shift in the healthcare industry toward achieving a state of security and privacy that is on par with other leading industries,” said Daniel Nutkis, chief executive officer, HITRUST in a statement. “While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size.”
The fact that smaller physician practices are being called out isn’t surprising. The Verizon Data Breach Investigations Report made it clear that hackers were targeting SMBs with large-scale automated attacks using commodity malware in many instances. These attacks were against outdated and unsecured point-of-sale systems, or remote management systems reachable online.
Health care organizations are vulnerable to external hacks—the number of them is expected to double this year—but physical theft of laptops in particular continues to be the biggest source of data loss, especially against physician practices and specialty clinics, the report said.
This is in stark contrast to larger practices, hospitals and health plan systems, which experienced a 46 percent decline in breaches from 2010 to 2011. HITRUST expects that number to drop 36 percent this year.
“Larger practices with greater resources appear to be recognizing the problematic threats resulting in breaches, and many seem to be taking actions to prevent future breaches,” the report said.
Of the organizations suffering hacks, most centered around unauthorized access to servers containing personal health information; in most cases the data was sold. Other attacks included phishing scams seeking valid system credentials, attacks that rendered data unusable, or corporate espionage attacks.
Stiff fines for violating the Health Insurance Portability and Accountability Act (HIPAA) have also garnered the attention of organizations. Cignet Health Care of Maryland was hit with a $4.3 million fine last year for violating the HIPAA Privacy Rule – the first such fine. Massachusetts General Hospital was also hit with a $1 million fine for an employee losing patient records. This year, the Alaska Deptartment of Health and Social Services was fined $1.7 million for losing a USB drive containing patient information on 501 individuals.
More and more, third party partners are also being called onto the carpet for their security practices.
Physician practices are increasingly accessing the systems of larger institutions.
“The adoption of electronic health records technology among hospitals has led to ‘community health records’ where physicians utilize a local hospital’s EHR system instead of purchasing their own,” the report said. “This now exposes the hospital to the same risks as the connecting practices, which often lack antimalware, have insecure or no firewalls, and share passwords. These issues in turn may lead to more breaches implicating both parties in the future.”